Ransomware gangs now frequently threaten physical violence against employees and their families as a way to force victim organizations into paying their demands.
According to a survey of 1,500 security and IT professionals conducted by Censuswide on behalf of security firm Semperis, digital intruders are still holding more traditional threats of system lockouts (52 percent) and data destruction (63 percent) over their victims’ heads.
However, almost half (47 percent) of those surveyed across industries and geographies also reported that attackers have threatened to file regulatory complaints against them along the lines of ALPHV’s SEC complaint against fintech firm MeridianLink for failing to notify the American financial regulator of a significant security breach.
More worrisome, however, is that 40 percent of respondents reported receiving physical threats from the miscreants.
“The threats of physical harm are pretty scary,” Jeff Wichman, Semperis’ director of breach preparedness and response, told The Register. “I am afraid of what’s next.”
Before leading the incident response team at Semperis, which specializes in preventing attacks against Active Directory, Wichman worked as a professional ransomware negotiator and saw extortionists call executives whose companies had been infected with data-locking malware.
“It was threats against their family members: what their [internet] surfing traffic was, what they did at home,” Wichman said. “The attackers know where the executives live, they know where their families are, they know where their kids go to school.”
The physical threats tend to be generic to ratchet up the fear factor, he added. “If I tell you, ‘I’m going to attack your kids at school,’ you increase the security at school, whereas if I just say ‘I’m gonna attack your family,’ when we go to the grocery store, when we go to the movie theater, when we go to school, it makes it a little bit scarier. I don’t think the attackers are going to tip their hand at what sort of violence — yet.”
Wichman expects the threats to become more common and severe. “I would say in the next 12 months,” he said. “Attackers will find any way feasible to force a payment.”
Semperis’ annual report paints a bleak picture of the state of ransomware attacks. The majority — 78 percent of respondents — were hit by a ransomware attack over the past 12 months, which is a slight decrease compared to last year’s 83 percent.
Of those, 56 percent were successful ransomware infections. However, 73 percent of those victims suffered multiple attacks and 31 percent were attacked three or more times.
But despite this small drop in attacks, businesses took longer to recover from infections. Only 23 percent said they recovered within a day, compared to 39 percent last year. Meanwhile, 18 percent required between one week and one month, compared to 11 percent in 2024.
“I would attribute that to the attackers compromising the environment and damaging it sufficiently enough where an organization has to rebuild their environment, sometimes from backup and other times from a clean slate,” Wichman said.
Plus, on average, 15 percent of victims who paid the ransom demand didn’t receive usable decryption keys, and another 3 percent say their stolen data leaked anyway.
“I don’t believe any organization should pay an attacker and think they are safe,” Wichman said. “I’ve seen many examples where attackers state they’re deleting the information and they never delete it. It’s juicy information they can resell. Why wouldn’t they take it and make more money?”